[strongSwan] Strong swan IKE issue.
Tobias Brunner
tobias at strongswan.org
Tue Mar 20 08:45:57 CET 2018

Hi Andrii,

ike-scan won't help you here as it only reports on Phase 1 (IKE SA), but
your problem is during Phase 2 (Quick Mode, IPsec SA).

> Remote side is not supporting pfs.
>
> IKE Phase One Parameters:
> Encryption Algorithm: AES 256
> Hash Algorithm: SHA
> Authentication Method: Pre-shared key
> Key Exchange: Diffie Hellman Group 5
> IKE SA Lifetime: 86400 (Cisco default)
>
> IKE Phase Two Parameters (IPSEC):
> Authentication: ESP with SHA-HMAC
> Encryption Algorithm: ESP-AES 256
> SA Establishment: ipsec-isakmp (IKE negotiated)
> IPSEC Mode Tunnel (Cisco default)
> IPSEC SA Lifetime (time) 3600 seconds
> IPSEC SA Lifetime (volume) 4608000 kilobytes
> PFS (Perfect Forward Secrecy) No
>
> Optional encryption if requirements differ from above:
> esp-3des esp-md5-hmac
> esp-aes 256 esp-sha-hmac
> esp-aes 128 esp-sha-hmac
>
> This information I have from remote side.

Looks like esp=aes256-sha1! should be correct then. You could also try
esp=aes128-sha1! or esp=3des-md5! (not recommended though). And if this
doesn't work, ask the remote admins for the correct settings (they
should see in the log why the proposal was rejected).

> Is it possible to see what the remote side offers?

No (unless you do what ike-scan does, i.e. try a number of possible
combinations).

Regards,
Tobias
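
Added example (not part of the original message and not the poster's or the strongSwan project's own configuration): an ipsec.conf conn section that translates the parameters quoted above into strongSwan keywords. The conn name, addresses and subnets are placeholders, and keyexchange=ikev1 is an assumption based on the mention of Quick Mode.

```conf
# /etc/ipsec.conf fragment (added example; names and addresses are placeholders)
# The pre-shared key itself belongs in ipsec.secrets, not here.
conn cisco-peer
    # Assumed from the thread: Phase 1 / Quick Mode are IKEv1 terms
    keyexchange=ikev1
    # Authentication Method: Pre-shared key
    authby=secret
    # IPSEC Mode Tunnel
    type=tunnel
    # Placeholder endpoints and protected subnets (documentation ranges)
    left=192.0.2.10
    leftsubnet=10.1.0.0/24
    right=198.51.100.20
    rightsubnet=10.2.0.0/24
    # Phase 1: AES 256, SHA, Diffie Hellman Group 5 (modp1536).
    # The trailing "!" restricts the proposal to exactly this suite.
    ike=aes256-sha1-modp1536!
    # IKE SA Lifetime: 86400
    ikelifetime=86400s
    # Phase 2: ESP-AES 256 with SHA-HMAC. No DH group is listed because
    # the remote side has PFS set to "No"; appending one (for example
    # -modp1536) would request PFS and no longer match what the peer stated.
    esp=aes256-sha1!
    # IPSEC SA Lifetime (time): 3600 seconds
    lifetime=3600s
    # IPSEC SA Lifetime (volume): 4608000 kilobytes,
    # converted assuming 1 kilobyte = 1024 bytes
    lifebytes=4718592000
    auto=start
```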